I don't have advanced knowledge of this, but I have been playing with packet sniffers for a while now and have a couple of questions.
1. Although we can figure out which app a packet is going to by looking at the destination port number (for well-known ports), is there any other way to know who (app/service) the data in a packet is going to?
2. Is there a way to look at the payload of a packet in plain text, or at least in a more readable form?

Thanks in advance, and please don't laugh if the questions sound silly. ;)

March 1st, 2004, 07:13 AM

pooh sun tzu

Completely possible, and here is a diagram how:

computer one --------- you ------ computer two

1. You would need to be running a packet sniffer (http://www.ethereal.com/) in promiscuous mode (where it only reads data and does not filter it).
2. When computer one sends a packet, and you know for sure your computer is between computer one and two, then the packet passes through you, and is logged by your packet sniffer.
3. Packet sniffer sends it on to computer two.
4. You analyze the packet logs, content, and information regarding where, how, and from where :)

March 1st, 2004, 01:06 PM

Tiger Shark

Pooh:

Ethereal/Windump etc. do not need to sit between the source and destination; they only have to be able to see the packets. The best way to be able to see the packets is from a hub.

But in doiexist's case it's even easier. With two machines he can run Ethereal on his target _or_ source machine and send the packets. They will be captured from either end and be easily readable. In fact he can run it on a single PC and just connect to the web etc. and he will see his own packets and their replies if he sets no filters.

doiexist: Much of what can be found in packets that is of interest is in hex. Google Ethereal and download it. Set it to just capture anything, visit a web site and stop the capture. You will see the details of every packet in the lower two sections of the screen. Clicking on a packet at the top shows the different types of info in the middle, and clicking on the info types there drills down in the bottom section. Clicking on bits in the bottom window will highlight the appropriate info on the other side of the lower section. So if you click on a piece of the ASCII on the right, it highlights the appropriate hex on the left and vice versa.

Play with it and things will become clearer - use Google when you aren't sure what you are looking at.

PS: Don't forget to install WinPCap - the packet capture driver - it doesn't work without it. I believe you should get version 3.2 now.
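The header walk and the hex/ASCII pane Tiger Shark describes, as an added example that is not part of the original thread and not Ethereal's own code. It builds one constructed Ethernet II / IPv4 / TCP frame (invented MACs, IPs and ports, carrying the start of an HTTP request), decodes the three headers the way the middle pane does, makes the port-based service guess from a small well-known-port table, and prints the frame in the offset / hex / ASCII layout of the bottom pane. Only IPv4 over TCP is handled; anything else raises so nothing is silently mis-decoded.

```python
import struct

# Port -> service table for the "well-known port" guess the original poster
# already relies on; extend as needed.
WELL_KNOWN_PORTS = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
    53: "dns", 80: "http", 110: "pop3", 143: "imap", 443: "https",
}


def build_sample_frame():
    """Constructed Ethernet II / IPv4 / TCP frame; NOT a real capture.
    MACs, IPs and ports are invented. The TCP payload is the start of an
    HTTP request, so the ASCII column of the dump is readable."""
    payload = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    tcp = struct.pack(
        "!HHIIBBHHH",
        49152, 80,        # source port, destination port
        0x1000, 0x2000,   # sequence and acknowledgement numbers
        5 << 4, 0x18,     # data offset = 5 words (20 bytes), flags PSH|ACK
        65535, 0, 0,      # window, checksum (left zero), urgent pointer
    )
    ip_total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, ip_total_len,   # version 4 / IHL 5, TOS, total length
        0x1234, 0x4000,          # identification, flags (DF) + fragment offset
        64, 6, 0,                # TTL, protocol 6 = TCP, checksum (left zero)
        bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]),
    )
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def decode_frame(frame):
    """Walk the headers the way Ethereal's middle pane does (Ethernet -> IPv4 -> TCP)
    and return the fields plus the raw application payload. Only IPv4/TCP is
    handled here; anything else raises so the caller knows it was not decoded."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"unhandled EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError(f"unhandled IP protocol {ip[9]}")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    # Port-based guess: check the destination first, then the source, so a
    # server's reply (source port 80) is labelled the same as the request.
    app = WELL_KNOWN_PORTS.get(dst_port) or WELL_KNOWN_PORTS.get(src_port) or "unknown"
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "flags": tcp[13], "app_guess": app, "payload": payload,
    }


def hexdump(data, width=16):
    """Lines in the offset / hex / ASCII layout of Ethereal's bottom pane.
    Bytes outside printable ASCII show as '.' on the right, which is why
    binary protocols look like dots and text protocols like HTTP read cleanly."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part}  {ascii_part}")
    return lines


if __name__ == "__main__":
    frame = build_sample_frame()
    fields = decode_frame(frame)
    for key, value in fields.items():
        if key != "payload":
            print(f"{key:>10}: {value}")
    print()
    print("\n".join(hexdump(frame)))
```

Running it prints the decoded fields followed by six 16-byte rows; the last rows read as the HTTP request in the ASCII column while the header bytes before it show up as dots, which is exactly the difference between "readable" and "hex only" the original question is about. The checksums are left at zero because nothing here transmits the frame; a real capture would carry the values the sending host computed.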

March 1st, 2004, 01:22 PM

R0n1n

doiexist, keep in mind that the packet sniffer does not in any way interfere with the packet or forward it on. Instead it listens in to all traffic and allows you to watch it as it goes by.

Ethernet works by sending packet information via MAC addresses on the local network; typically, on a network where the packets pass by more than one computer (i.e. where you are using hubs and not switches), only the machine with the correct MAC will actually read the packet and send a reply. A machine with its NIC in promiscuous mode will instead read every packet that goes by regardless of the MAC.

As Tigershark mentioned, if you want to do this with a couple of computers you need them plugged into a hub; if they are in a switch, then the switch is smart enough to only forward packets to the correct MAC, unless you set up a trunk port (or whatever it is called on your switch).

You can also have a look at IRIS from eEye and Sniffer Pro from Network Associates, although they are both commercial packages.

And I guess you are going to need to identify app specific traffic in the packets if you want to go beyond relying on the port addresses.
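The two points in R0n1n's post, the NIC's MAC filter versus promiscuous mode and identifying app-specific traffic from the bytes rather than the port, as an added example that is not part of the original thread. The frames are constructed (invented MACs, ports and payload starts). `nic_accepts` models what a NIC normally passes up to the host and what it passes in promiscuous mode; `identify_app` labels a payload from a few well-documented first-byte signatures (HTTP request line, HTTP status line, SSH version string, TLS handshake record) without looking at the port at all, which is what lets it label a TLS ClientHello on 8443 and an HTTP reply on 8080. The signature list is deliberately small; a real dissector has hundreds, and "unknown" is the honest result for anything not in the list.

```python
OWN_MAC = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frames (not captured traffic): Ethernet destination MAC, TCP
# destination port, and the first bytes of the application payload.
SAMPLE_FRAMES = [
    # (dst MAC,            dst port, payload start)
    (OWN_MAC,             80,   b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"),
    ("aa:bb:cc:dd:ee:ff", 22,   b"SSH-2.0-OpenSSH_3.8p1\r\n"),
    ("aa:bb:cc:dd:ee:ff", 8443, bytes.fromhex("160301004a01000046")),  # TLS ClientHello, non-standard port
    (BROADCAST,           1900, bytes.fromhex("0102030405060708")),    # nothing the signatures know
    (OWN_MAC,             8080, b"HTTP/1.1 200 OK\r\nServer: test\r\n"),  # HTTP reply, non-standard port
]


def nic_accepts(dst_mac, own_mac=OWN_MAC, promiscuous=False):
    """Model of the NIC's address filter. Normally a frame reaches the host
    only if it is addressed to this NIC or to the broadcast address; in
    promiscuous mode the filter is off and every frame on the wire is passed
    up to the sniffer."""
    if promiscuous:
        return True
    return dst_mac.lower() in (own_mac.lower(), BROADCAST)


# Content signatures: what the first bytes of each protocol look like,
# independent of the port number.
def _looks_like_http_request(p):
    method = p.split(b" ", 1)[0]
    return method in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS") and b" HTTP/1." in p[:80]


def _looks_like_tls_handshake(p):
    # Record type 0x16 (handshake), version major 3, handshake type 1 = ClientHello
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


SIGNATURES = [
    ("http-request",  _looks_like_http_request),
    ("http-response", lambda p: p.startswith(b"HTTP/1.")),
    ("ssh",           lambda p: p.startswith(b"SSH-")),
    ("tls-handshake", _looks_like_tls_handshake),
]


def identify_app(payload):
    """Return the first matching signature name, or 'unknown' when the payload
    matches nothing: the honest answer when the protocol is not one you know."""
    for name, matches in SIGNATURES:
        if matches(payload):
            return name
    return "unknown"


def sniff(frames, own_mac=OWN_MAC, promiscuous=False):
    """What the sniffer sees, and how it labels it, for a given NIC mode."""
    seen = []
    for dst_mac, dst_port, payload in frames:
        if nic_accepts(dst_mac, own_mac, promiscuous):
            seen.append((dst_mac, dst_port, identify_app(payload)))
    return seen


if __name__ == "__main__":
    for mode in (False, True):
        print(f"promiscuous={mode}")
        for dst_mac, port, label in sniff(SAMPLE_FRAMES, promiscuous=mode):
            print(f"  {dst_mac}  port {port:<5} {label}")
```

With the filter on, only the two frames addressed to `OWN_MAC` and the broadcast frame are seen; in promiscuous mode all five are. Note that this only models the NIC: on a switched network the switch never puts the other hosts' frames on your port in the first place, so promiscuous mode alone does not help there, as the post says.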

March 1st, 2004, 06:25 PM

doiexist

but..

Thanks guys,
but my real Q was how to actually decode the ASCII or the hex code, meaning if it's not apparent from the port number in the TCP header, how do we tell which app/service this data is going to? I don't have problems capturing them, but reading them.

March 1st, 2004, 06:53 PM

cgkanchi

Ethereal should tell you what kind of packet it is. Ethereal is great for stuff like that.

Cheers,
cgkanchi

March 1st, 2004, 07:05 PM

mohaughn

doiexist- In order to "decode" the contents of a packet you have to know what type of data you are looking at. For instance, if you are looking at a DNS packet, you can read the RFCs around how a DNS client communicates with a DNS server to determine exactly what the transaction is doing. If you are looking at HTTP traffic, the same thing applies. Ethereal does this for you in that filters and rules have already been written to decode the raw data for you.

In order to understand the data in the network capture you have to have knowledge of the protocol/application you are trying to look at. Different applications use different codes to mean different things when communicating between nodes. So there is no way to always "know" what something is doing.

If the network data you are looking at is the transactions between a piece of proprietary code that is not out in the public, you may have to spend quite a bit of time determining what all of that hex code means.
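What "decode it from the RFC" means in practice for the DNS case mohaughn gives, as an added example that is not part of the original thread and not Ethereal's dissector. The two messages are constructed (invented transaction ID, name and address): a query for the A record of www.example.test and a minimal response. The decoder follows RFC 1035: the fixed 12-byte header, length-prefixed labels for names, and the two-byte compression pointers (top bits 11) the response uses so the answer's name refers back to the question instead of repeating it. Without the RFC the bytes `c0 0c` in the answer are just hex; with it they are "the name at offset 12". The pointer hop limit is the one thing a practitioner adds on top of the RFC, since a crafted message can point a name at itself.

```python
import struct

# Constructed DNS messages (not captured). All values are invented.
_QUESTION = b"\x03www\x07example\x04test\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
SAMPLE_QUERY = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + _QUESTION   # flags: RD
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + _QUESTION            # flags: QR, RD, RA
    # Answer: the name is a compression pointer (0xC00C) back to offset 12,
    # where the question's name sits (RFC 1035 section 4.1.4).
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 80])
)

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg, off, max_hops=16):
    """Decode a domain name starting at msg[off], following compression pointers.
    Returns (name, offset just past the name as it appears at the original
    position). The hop limit guards against pointer loops in hostile input."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # two-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(msg):
    """Decode the header, question and answer sections of a DNS message."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, TYPE_NAMES.get(qtype, str(qtype)), qclass))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:            # A record: dotted quad
            rdata = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                # NS/CNAME/PTR: RDATA is a name
            rdata, _ = read_name(msg, off - rdlen)
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
                        "ttl": ttl, "rdata": rdata})
    return {
        "id": msg_id,
        "response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "questions": questions,
        "answers": answers,
    }


if __name__ == "__main__":
    for label, msg in (("query", SAMPLE_QUERY), ("response", SAMPLE_RESPONSE)):
        print(label, msg.hex())
        print("  ", parse_dns(msg))
```

The same shape of work applies to any protocol: find the specification, write out the field layout, and only then do the hex columns mean anything. For the proprietary case the post mentions there is no specification to read, which is why that takes so much longer.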

March 1st, 2004, 10:54 PM

Relyt

A while back I downloaded SpyNet, which consists of CaptureNet (the sniffer) and PeepNet (the reconstructor). Unfortunately, I haven't used them yet to see if that's what you're looking for. But here's the link:

SpyNet tells you what traffic is going through your system. If a hacker attacks your system, firewalls will tell you so in many situations. But sniffers grab the evidence. Until now, that evidence was very hard to figure out with the naked eye. But, SpyNet literally reconstructs their keystrokes and movements.

SpyNet will reconstruct web browsing sessions on your local network; it will even fake cookies for entry into password-protected websites that were entered.

Anyone use this before?

March 1st, 2004, 11:42 PM

Tiger Shark

Relyt:

From their "agreement" prior to download

*****************************************
Terms of Use

Please read this document carefully before accessing the content on this website.

.................

We offer you the ability to unsubscribe from any opt-in e-mail (like newsletters) by using the unsubscribe procedures on the Web Site. However, even though you may have requested to NOT receive any opt-in email, by providing us with your email address or by using this web site you agree that TB may, from time to time, send you email that we believe may be of interest to you. If you do not wish to receive any communication from TB, you must:
Stop using any and all the services available on our web site and the content or intellectual property of ProgramFiles.com and its community of web sites, and
Notify us to have your Personalization Account cancelled, and
Request to have your email address(es) placed on our Restricted List to ensure you will not receive email OR cannot use the web site in the future. (Please send this notice to concerns@programfiles.com)

....... Followed by.......

Although TB has a strict policy of checking all software made available for downloading using up-to-date virus scanning technology, you understand TB cannot and does not guarantee or warrant that files available for downloading through the site will be free of infection or viruses, worms, Trojan horses or other code that manifest contaminating or destructive properties. You are solely responsible for implementing sufficient procedures and checkpoints to satisfy your requirements for safeguarding your computer systems and for developing and maintaining a means for the reconstruction of any lost data you might incur.

****************************************

I really don't like it already..... especially when, after 7 days, they will make me pay $79....

They abdicate all responsibility for the security of their product, they won't stop spamming you unless you jump through hoops and stop using their software, (does it call home????), etc. etc. etc.

Sounds good though....... :rolleyes:

March 2nd, 2004, 04:29 AM

Relyt

Tiger Shark,

Thanks for the info; I guess I won't enjoy it that much after all.

I did a little more research as well and, well, it's not good for sure:

The SpyNet Sniffer Changed Publishers:

The Spynet Sniffer (described below) was sold to eEye - Digital Security, enhanced (sort of), it's somewhat more attractive, and renamed the "Iris" Network Traffic Analyzer. That's the good news.

The bad news is that these folks must have a very different target market in mind than you or me, since their price for the sniffer is $1745 with $550 annual "maintenance fees"! Yikes!!!! I don't know who they're selling that to, but it's sure not me!

The sort of good news is that, like the original Spynet Sniffer, theirs DOES have a built-in 30-day free trial before it expires, and even more cool, it's 30 actual days of real use, not 30-days from the time it's downloaded.

So you can really get some use out of the best sniffer on the market for 30-days before needing to come to grips with the fact that it's "pay up (and how!) or give it up."